Operation mode | ||||
Reverse Proxy | Offline Protection | True Transparent Proxy | Transparent Inspection | |
Matches by | • Service • Virtual server | Virtual server’s network interface, but not its IP address. | V-zone (bridge), but not its IP address. | V-zone (bridge), but not its IP address. |
Violations | Blocked or modified, according to profile. | Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise. | Blocked or modified, according to profile. | Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise. |
Profile support | • Inline protection profiles • Auto-learning profiles | • Offline protection profiles • Auto-learning profiles | • Inline protection profiles • Auto-learning profiles | • Offline protection profiles • Auto-learning profiles |
SSL | Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server. | Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. | Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. | Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. |
Forwarding | • Forwards to a server pool member using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall. • Can route connections to a specific server pool based on HTTP content. | Lets the traffic pass through to a server pool member, but does not load-balance. | Forwards to a server pool member (but allowing to pass through, without actively redistributing connections) using the port number where it listens. | Lets the traffic pass through to a member of a server pool, but does not load balance. |